December 2003 UILU-ENG-03-2228 CRHC-03-14 OVERCOMING BYZANTINE FAILURES USING CHECKPOINTING Adnan Agbaria and Roy Friedman Coordinated Science Laboratory 1308 West Main Street, Urbana, IL 61801 University o fIllinois at Urbana-Champaign


Overcoming Byzantine Failures Using Checkpointing

Adnan Agbaria* Roy FriedmanCoordinated Science Laboratory Computer Science Department

University of Illinois at Urbana-Champaign Technion - Israel Institute of Technology Urbana, IL 61801, USA Haifa 32000, [email protected] [email protected]


1 In trodu ction

Byzantine failures are defined as arbitrary deviations of a process from its assumed behavior based on the algorithm it is supposed to be running and the inputs it receives. Such failures can occur, e.g., due to a software bug, a (transitional or permanent) hardware malfunction, or a malicious attack. Overcoming Byzantine failures is becoming increasingly important for several reasons. Increasingly, we depend on the accuracy and correctness of computation in daily life, and the damage caused by a bad computation can have a severe monetary cost. Also, as most computers are connected to the Internet nowadays, they are exposed to hackers, which increases the likelihood of malicious attacks. Finally, recent initiatives, such as GRID computing and peer-to-peer computing, rely on the ability to run computations on foreign computers that cannot be trusted.

Under appropriate synchrony assumptions, it is possible to overcome Byzantine failures by repli­cating the application on 3 / + 1 nodes, where / is the maximum number of simultaneous failures,

*Supported by DARPA contract no. F30602-00-C-0172.



and running an agreement protocol on each action [8, 12, 19]. Such an approach is required if each action is irrevocable, but is overly expensive in other settings, both in its communication costs and in the number of replicas [26]. Another way to overcome Byzantine failures is by using intrusion detection systems (IDSs) [20, 17]. Upon detection, the faulty process can be removed and may be replaced by another correct process. However, there are many experimental results showing that IDSs can only detect a small fraction of Byzantine failures. In addition, IDSs may produce false alarms that lead to removal of correct processes [23].

In particular, for scientific applications, it is possible to simply run the computation on multiple nodes, and choose the results that repeat more than a threshold number of times. A similar idea is used, e.g., by the SETI@HOME project [1]. However, such an approach is very wasteful, especially if we assume that most computations are failure-free. Moreover, faulty nodes are detected only at the end of the computation, furthers wasting system resources, and the mechanism relies on a single trusted entity to decide which computations are correct.

In this paper, we propose a different approach, which combines checkpoint/restart [3, 14, 24] with replication, and allows a computation to overcome Byzantine failures in deterministic compu­tations assuming operations are revocable. In our approach, each computation is carried by / + 1 independent replicas that must also periodically take a checkpoint of their state and store it in a globally accessible location. A different set of 3 / + 1 nodes, called auditors, are then used to verify that all / -1- 1 replicas have taken the same checkpoint. Otherwise, the auditors detect the correct checkpoint, eliminate the nodes that reported false checkpoints, and restart the computation from the last correct checkpoint. Clearly, the auditors are shared by many computations; thus, assuming a large pool of nodes and computations, each failure-free computation requires only / + 1 nodes. Moreover, even faulty computations require extra nodes only during the phases of the computation in which the failures occurred. Another interesting feature of our approach is that we do not rely on assumptions those o f ’’well-formed message” [21, 18] and ’’unstolen private keys” [26].

Since our approach is considered a kind of anomaly-based detection, which abnormalities are detected through comparison of the replicas’ states, we do not have false alarms, and our mechanism may be better than other IDS systems (such as Snort [2, 23]) at detecting worms.

The remainder of this paper is organized as follows. Section 2 describes the system model and basic definitions. Our approach of anomaly-based detection is presented in Section 3. In Section 4, we describe previous related work, and conclude our work in Section 5.

2 S ystem M odel, A ssu m p tion s, and D efin ition s

We consider a distributed system consisting of several processes communicating by sending mes­sages and operating under the timed asynchronous model assumptions [10]. In the system model, processes execute a protocol and have access to a local hardware clock and a datagram service. The



local hardware clocks of different processes are not precise, but we assume that their relative drift is bounded. The datagram service is used for communication between the processes. We assume that it only delivers messages that were sent by some particular process, that it delivers a message no more than once, and that it delivers all messages within a timeout (5 with high probability (messages are either delivered late or dropped with very low probability). Each process is associated with a local state, which includes its local variables and messages that were received from the datagram service. A computational step in our model is a function that takes as input the current local state of a process and generates a new local state and a list of messages for the datagram service to send. The protocol specifies the computational steps that should be performed and the messages that must be sent to other processes. We also assume that a process can handle computational steps within a bounded latency with high probability.

Failure to complete a computational step or deliver a message within the expected time bound is considered a performance failure. Additional failures that might occur are crash failures, in which a process completely fails by not performing any additional computational steps, omission failures, in which a message is never delivered, and Byzantine failures, in which a process can arbitrarily deviate from its protocol. However, we assume that processes cannot impersonate other processes,i.e., messages are authenticated. Clearly, Byzantine failures include all other forms of failures in the model. A process that suffers a failure is said to be faulty; otherwise, it is correct. The number of faulty processes is bounded by / .

Figure 1: A typical Checkpoint/Restart on an application

As presented in Figure 1, a checkpoint is the act of generating a file that includes a process



state during the course of execution of an application. Restart is the act of restarting the process from a checkpointed state/file. We assume that the computation tasks are such that a task can be restarted from any checkpoint on any process in the system.

3 Our A pproach

In this section, we explain our scheme for overcoming Byzantine failures under the assumptions outlined in Section 2. We designate a fixed set of 3 / + 1 processes to be the auditors, while all other processes are referred to as workers. We define a computational task to be a deterministic function and an associated set of input values for that function. In particular, in this work, we assume that a computational task can be completed without exchange of messages with other processes. The goal of the system is to compute the correct results of as many computational tasks as possible. The auditors send computational tasks to workers, which must compute the correct result of applying the function to the corresponding input values. However, completing a computational task may require multiple computational steps.

Due to the possibility of failures, the auditors send the same computation task to / + 1 workers. We assume that the exact same sequence of computational steps is performed by each worker. In order to monitor the computation, after each predefined number of computational steps, each worker takes a checkpoint of its state, and sends this checkpoint to all auditors. We assume that checkpoints taken at different workers after the same number of computational steps are exactly the same.1 Given the model assumptions, the auditors know a deadline by which each checkpoint must be delivered to them by each worker. For each checkpoint C*, the auditors run a Byzantine agreement protocol in which they decide if all workers submitted their checkpoints and if all checkpoints are the same. If the answer is positive, the auditors commit checkpoint C*.

Otherwise, either the auditors did not receive all checkpoints, or some checkpoints did not agree. If 1 < / < / + 1 workers failed to send their checkpoints in time to enough auditors, those workers are considered faulty, and the entire computational task, along with the previously committed checkpoint C{-1 , is sent to l new workers to continue from there. Otherwise, if some checkpoints did not match, the entire computational task along with C i-\ is sent to / additional workers. If that happens, after the new / workers submit their version of C*, the workers agree on which set of at least / + 1 workers has submitted the same checkpoints. The corresponding checkpoint is committed as the official C{. The workers that send different checkpoints are considered faulty, and the auditors never send computational tasks to them again. The computational task is then resumed from C{ on / + 1 unsuspected workers.

Note that for efficiency, the workers can initially send only a summary (e.g., MD5) of their

T f the com putation task involves invoking a pseudo-random number generator, we assume that all workers apply

the same seed on it.



checkpoint, and then the decided checkpoint can be retrieved from one of the correct workers. The auditors then need to compute the summary of the checkpoint they retrieve from the worker to verify that it is as expected. For simplicity, we present the protocol without this obvious optimization. In addition, if a faulty replica sends its checkpoint to a subset of the auditors, it will not affect the decision made by the auditors. Since the auditors run a Byzantine agreement to reach consensus, the decision remains correct only if there are no more than / faulty auditors.

A serial application is replicated to f + 1 replicas (processes), denoted by pi, • • • ,p/+\. The set of replicas is denoted by G(p). We recommend that each process run on a different physical machine, for hardening [26, 29].

In essence, the protocol works as follows. Every T time units, the auditors invoke a checkpoint request to Q{jp). Upon a checkpoint request, every replica pi takes a checkpoint CPi. Then, every Pi broadcasts d{CPi) to the auditors. After every auditor Ai has received all the checkpoint digests from Q{p), the auditors agree on the values of d(CPi) for each replica pi, 1 < i < / + 1. If all the checkpoint digests are valid and equivalent, then all the replicas are believed to be correct. Otherwise, the auditors try to find the faulty process(es) for removing them out of G(p). Actually, the auditors replay the last checkpoint interval to determine which processes are faulty.

The protocol starts working upon a checkpoint request to G(p)’, during the request, the following steps are performed.

1. Each replica pi takes a temporary checkpoint Cp. and then broadcasts a message containing d{Cp.) to A.

2. Whenever an auditor A ̂collects all the messages from all the replicas Q(p) within a time-out, it checks if all the digests are equivalent.

3. The auditors agree on correct digest values. If they agree that the digest values are equivalent, then the checkpoint digests are assumed to be from correct processes.

4. Otherwise, the auditors suspect that there is at least one faulty process in G(p). Then, they try to detect the faulty process by applying the following steps:

(a) Each auditor Ad restarts a replica of the application from the last committed checkpoint file.

(b) Each replica A ̂ takes a checkpoint of its replica after T units of time.

(c) The auditors agree on the correct checkpoint file, say C \.

(d) Then, they agree on the faulty replicas of G(p), denoted by F , by comparing C \ to C'p. for all 1 < i < f + 1.

5. The auditors stop the faulty replicas F.



6. CPi is committed as the correct checkpoint file.

7. \F\ replicas are restored in place of the faulty ones (on different nodes) from CPi.

Figure 2 presents the pseudo-code of the main function of the protocol. Notice that after the auditors agree to check if there is a faulty process in Q(p), each auditor Ad calls the function verifyLG with the process p as a parameter.

verifyLG (p)1 chkptNotify(^(p), 0)2 collectMsgs(C?(p), 0)3 agree(d(CPl) , . . . , d(CPf+1))4 If all the decided d(CPi) are equivalent5 chkptCommit(CrPl)6 Return {There are no suspected faulty processes in Q{p) }

{A ̂ suspects that some processes in Q{p) are faulty }{ Let F be the set of nodes that are suspected to run faulty process(es) }

7 (F,C) = detectFaulty (G(p))8 Stop the faulty replicas F9 chkptCommit (C)10: Restart |F | + 1 replicas from C

Figure 2: Auditor Ad verifies Q(p).

As depicted in Figure 2, the function verifyLG uses several functions. Below we explain each function, and for illustration, we present the pseudo-code of some functions.

• chkptNotify - The function chkptNotify(t/(p), T) tells all the replicas of Q{p) to take a checkpoint immediately after T units of time.

• collectM sgs - This function collects the digest values from Q{p) within a time-out.

• agree - Upon invoking the function agree(u), the auditors apply a consensus protocol [18, 22] to agree on the value of v.

• chkptCommit - This function commits the newest checkpoint files of Q{jp).

• detectFaulty - This function returns the set of the faulty processes and the correct checkpoint as described in Step 4 above.

Notice that after detecting the faulty processes, we can restart the replicas of Q{p) from the last committed checkpoint on different machines to avoid malicious attacks.



3.1 T h e P rotoco l P rop erties

In this section, we briefly discuss the safety and liveness of the protocol. We show that if there are faulty replicas, they will eventually be detected, and then replaced by correct replicas.

Since we have / +1 replicas running, there is always at least one correct replica running. If there are some faulty replicas that run out of the normal execution, then after capturing the replicas’ state by checkpointing, the auditors will see different states. That makes necessary for us to use 3 / + 1 processes (by auditors) to figure out the faulty replicas [8, 27].

In addition, since every checkpoint is committed after a Byzantine agreement has been reached among the 3 / + 1 auditors, each checkpoint represents a state of a correct replica. Upon detection of a faulty replica, a recovery is made through use of a committed checkpoint file to restart a new correct replica.

Finally, we would like to point out that most Byzantine agreement protocols, including [18, 22], ensure that if the same value is proposed by all correct processes, then this value will be decided on. This property prevents malicious auditors from forcing the others to execute the detectFaulty function when all workers have returned the same checkpoint.

4 R ela ted W ork

There is a large body of research on Byzantine fault tolerance for distributed systems [26, 5, 8, 18, 19, 22]. To the best of our knowledge, all of the existing papers assume that there are at least 3 / + 1 replicas to tolerate at most / faulty replicas that can occur at the same time, regardless of the number of actual failures. Our work is the first that relies on / + 1 replicas when there are no failures. However, when a failure occurs, our scheme employs a total of up to 5 / + 1 processes (3 / + 1 auditors, / + 1 workers that execute the task initially, and up to an additional / workers, depending on the number and type of failures, for re-executing the task after a failure).

In [18] Kihlstrom et al. extended the work of Chandra and Toung [9] on unreliable fault de­tectors for crash faults, by considering unreliable fault detectors for Byzantine faults. They used those detectors to reach consensus in an asynchronous distributed system. Similarly, Malkhi and Reiter [21] solved the consensus problem in asynchronous distributed systems, but unlike the al­gorithm of Kihlstrom et al., their consensus algorithm relies on a reliable broadcast service. In [8] Castro and Liskov presented a Byzantine fault tolerance algorithm for state machine replication [28]. As in [18, 21] and other papers, their algorithms relay on 3 / + 1 replicas. Other papers that solve general Byzantine agreement with unreliable failures detectors that can only detect mute failures include [6, 15].

In [26] Ramasamy et al. extended the Ensemble group communication toolkit [16] to support intrusion tolerance. Originally, Ensemble was designed for crash fault tolerance; Ramasamy et al.



re-implemented the reliable multicast and the group membership protocols to support Byzantine fault tolerance with 3 / + 1 replicas. This work was done to provide intrusion tolerance to the ITUA infrastructure [11].

Our work is not the first to combine the techniques of checkpoint/restart and replication for providing intrusion detection. Other projects that use such combinations are Starfish and Manetho. The Starfish system [4] uses such a combination to provide crash fault tolerance for both serial and message-passing applications. The Manetho system [13] gives the application the ability to choose either checkpoint/restart or replication techniques for providing crash fault tolerance.

Several papers [25, 30] used checkpoint/restart and duplication for detecting transient faults. Ziv and Bruck [30] adapted a transient fault-detection mechanism by taking a checkpoint of two replicas and then comparing their states. In addition, Black et al. [7] presented a technique dealing with fail-silent processes in the Voltan application programming environment using self-checking process pairs. Their work was based on hardware-based replication.

5 C onclusions

We have presented a scheme that enables deterministic computations to overcome up to / Byzantine failures using / + 1 replicas and 3 / + 1 auditors. The protocol is based on periodic checkpoints, and assumes that it is permissible to roll back the execution to a previous checkpoint. Our work so far does not address collaborative applications among several computing processes that are not replicas of the same program, as we assume that all replicas receive the same set of inputs. In the future, we intend to extend our protocol in that direction (i.e., to support distributed or parallel computations) and measure its costs empirically.

A cknow ledgm ents

We would like to thank William H. Sanders for his helpful comments and Jenny Applequist for her editorial assistance.

